DEFCON 2018 DFIR CTF Walkthrough (HR Server – Entry Name 2)

Happy holidays and I hope you have had as great of a break from the grind as I have. One of the projects I have been slowly working on is the DefCon 2018 DFIR CTF. Once I have any free time, this is the challenge that I go to. Tonight, I am working through the first image (of three) to see if I am able to find the password to the second image file and move on.

I am no expert, nor am I confident in my abilities, so please take everything I type with as much weight as a grain of salt.

I do understand that I was given two files in the download from https://www.hecfblog.com/2018/08/daily-blog-451-defcon-dfir-ctf-2018.html

The evidence file, or “HRServer_Disk0.e01” is what we are really concerned with. Being that I am using a basically stock install of BackBox, I know that Autopsy is going to be my go-to tool for this. I fire it up, using the syntax “autopsy” and I am gleefully greeted by the following screen. Essentially, if you are investigating a piece of evidence, like a forensic copy of a disk, Autopsy, if you don’t have access to any paid services, is the way to go.

On the preceding screen, you can see that a web client should have been opened up and is ready for us to start forensicating. The web client for Autopsy feels really… REALLY out-dated, but it functions as well as it needs to.

You are able to point the app at the image and you should be greeted with a screen similar to this:

The challenge we are interested in solving tonight is this:

So we know we need to be able to parse the MFT for entry numbers to solve this challenge. Luckily for us, Autopsy does this natively, so long as you have a forensically sound image.

You need to click on “Meta Data” at the top of the web client and it will bring you to this page:

As you can see, on the top-left hand portion of the page, you have the ability to type in an MFT Entry Number and query whether or not there is anything of note at that address. for our purposes, we will stick to the challenge, and input the MFT Entry Number from the cahllenge hint: “168043”. We are then greeted by the following screen:

There is a lot of information here and for an investigation, it is a lot of great information, but for the purposes of thhis CTF, I will just take the name of the executable and prance on about my life with the points.

Entering the file name grants me the points and I can move on to the next challenge. In the following posts I will focus my energy and push my way into the 2nd image and provide some (hopefully beneficial) feedback and guidance on those challenges as well.


Leave a Reply

Your email address will not be published. Required fields are marked *